IBM Support

PH48187: LTPAToken validation failure for users with space characters in the user name caused by PH47867

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.


APAR status

  • Closed as program error.

Error description

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty - Security                   *
    * PROBLEM DESCRIPTION: LTPAToken validation failure for users  *
    *                      with space characters in the user name  *
    *                      caused by PH47867                       *
    * RECOMMENDATION:                                              *
    LTPAToken validation might fail for users with empty space
    characters in the username after an interim fix or fix pack
    containing APAR PH47867 is installed.
    * Users that perform a login to authenticate to one Liberty
    server might fail to authenticate to other Liberty servers by
    using their LTPAToken2. Users would need to login again on
    Liberty servers.
    * If authentication cache is not enabled, a user can log in,
    might fail to use their LTPAToken2 in subsequent requests to
    other servers or to the same server. In this case, the user
    might have to perform a new login on every request.
    * Users with at least one of the following empty space
    characters in their username are affected:
    Space character, tab character, newline character, carriage-
    return character, and form-feed character.
    * The username can be the short principal name or the full name
    of the user as in the DN for LDAP users.
    Error message that can be found in messages.log:
    CWWKS4001I: The security token cannot be validated. This can be
    for the following reasons
    1. The security token was generated on another server using
    different keys.
    2. The token configuration or the security keys of the token
    service which created the token has been changed.
    3. The token service which created the token is no longer

Problem conclusion

  • The Liberty runtime is updated to handle usernames containing
    empty space characters correctly.
    The fix for this APAR is currently targeted for inclusion in fix
    pack  Please refer to the Recommended Updates page for
    delivery information:

Temporary fix


APAR Information

  • APAR number


  • Reported component name


  • Reported component ID


  • Reported release


  • Status


  • PE




  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date


  • Closed date


  • Last modified date


  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name


  • Fixed component ID


Applicable component levels

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSD28V","label":"WebSphere Application Server Liberty Core"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"CD0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 August 2022